The Samba-Bugzilla – Bug 9788
'acl:search = no' problem is not fully fixed and parameter is still required
Last modified: 2015-07-31 08:24:27 UTC
Created attachment 8768 [details]
Level 10 debug log of a failed try to join Win7 (without acl:search=no parameter)
I'm sorry, but the 'acl:search=no' workaround is still required and not fully fixed.
Yesterday we switched to 4.0.5 and I run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset all my ACLs. Then I recreated the delegation, so members of a group can join computers to the domain without having domain admin permissions (http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Add_delegation). The join as a member of that group worked as expected.
Then I removed the 'acl:search=no' parameter from smb.conf and restarted samba. Now XP says, when trying to join, 'access denied' and Win7 says 'wrong parameter' and the joins didn't work.
After I add the parameter again to smb.conf, the join worked fine again.
As I indicated on the lists, we really need a concrete test (modification to acl.py hopefully) that fails against Samba and passes against Windows, in order to make progress here.